Skip to main content

Aftermarket Dpc EUVDEUVD-2025-209077

| CVE-2025-55277 LOW
Use of Unmaintained Third Party Components (CWE-1104)
2026-03-26 HCL GHSA-34h3-v5r4-2979
2.6
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.6 LOW
AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 26, 2026 - 13:15 euvd
EUVD-2025-209077
Analysis Generated
Mar 26, 2026 - 13:15 vuln.today
CVE Published
Mar 26, 2026 - 12:45 nvd
LOW 2.6

DescriptionCVE.org

HCL Aftermarket DPC is affected by Use of Vulnerable/Outdated Versions vulnerability using which an attacker may make use of the exploits available across the internet and craft attacks against the application.

AnalysisAI

HCL Aftermarket DPC version 1.0.0 contains outdated or vulnerable dependencies (CWE-1104) that expose the application to known public exploits, enabling authenticated attackers with low privileges to obtain limited information disclosure. The vulnerability requires user interaction and carries a low CVSS score of 2.6, but represents a supply chain risk where publicly available exploits targeting the embedded libraries could be weaponized against deployments. No public exploit code has been independently confirmed, and CISA has not flagged this for active exploitation.

Technical ContextAI

This vulnerability falls under CWE-1104 (Use of Unmaintained Third Party Components), a component supply chain weakness where HCL Aftermarket DPC incorporates outdated or unpatched libraries with known vulnerabilities. The CPE designation (cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*) indicates the entire Aftermarket DPC product line is potentially affected. Rather than a direct code flaw in the application itself, the risk stems from reliance on third-party components that have publicly disclosed vulnerabilities available in common exploit databases and repositories. Attackers can identify these components through fingerprinting and deploy known-working attack code without discovering novel vulnerabilities.

RemediationAI

Contact HCL support via the vendor security advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793 to obtain a patched release and detailed component inventory. If a patched version is available, upgrade Aftermarket DPC immediately. Pending vendor remediation, implement network-level controls: restrict access to Aftermarket DPC to authenticated internal users only, enforce TLS 1.2+ for all connections, and disable unnecessary features. Conduct a software composition analysis (SCA) scan of the deployment to identify specific vulnerable third-party libraries and cross-reference them against public exploit databases. If the vendor has not released a patch, request explicit timeline for remediation and interim compensating controls such as WAF rules or reverse proxy hardening to block known exploit signatures.

CVE-2025-55262 HIGH
8.3 Mar 26

SQL injection in HCL Aftermarket DPC version 1.0.0 enables unauthenticated remote attackers to extract sensitive databas

CVE-2025-55261 HIGH
8.1 Mar 26

Missing functional level access control in HCL Aftermarket DPC version 1.0.0 enables privilege escalation attacks that c

CVE-2025-55263 HIGH
7.3 Mar 26

Hardcoded credentials in HCL Aftermarket DPC version 1.0.0 enable authenticated low-privilege attackers with user intera

CVE-2025-55265 MEDIUM
6.5 Mar 26

HCL Aftermarket DPC version 1.0.0 is vulnerable to unauthenticated file discovery that allows remote attackers to read s

CVE-2025-55266 MEDIUM
5.9 Mar 26

HCL Aftermarket DPC versions up to 1.0.0 are vulnerable to session fixation attacks that enable attackers to hijack user

CVE-2025-55267 MEDIUM
5.7 Mar 26

HCL Aftermarket DPC versions prior to and including 1.0.0 suffer from an unrestricted file upload vulnerability (CWE-434

CVE-2025-55264 MEDIUM
5.5 Mar 26

Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain acti

CVE-2025-55268 MEDIUM
4.3 Mar 26

HCL Aftermarket DPC version 1.0.0 is vulnerable to excessive spamming that consumes server bandwidth and processing reso

CVE-2025-55273 MEDIUM
4.3 Mar 26

HCL Aftermarket DPC is vulnerable to Cross Domain Script Include (CWE-829) that permits unauthenticated remote attackers

CVE-2025-55269 MEDIUM
4.2 Mar 26

HCL Aftermarket DPC version 1.0.0 enforces weak password policies that enable attackers to conduct brute-force attacks a

CVE-2025-55275 LOW
3.7 Mar 26

HCL Aftermarket DPC versions up to 1.0.0 contain an admin session concurrency vulnerability that allows authenticated at

CVE-2025-55270 LOW
3.5 Mar 26

HCL Aftermarket DPC version 1.0.0 contains improper input validation (CWE-20) that enables multiple injection attack vec

Share

EUVD-2025-209077 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy